package jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

//使用预编译sql语句解决sql注入攻击问题
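public class JDBCDemo7 {

    /**
     * Demo entry point: looks up a fixed username/password pair in {@code user1}
     * through a parameterized query and prints whether a row matched.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // DBUtil.getConnecting() is a project helper not visible in this file; its declared
        // exceptions are unknown, so the broad catch below is kept rather than narrowed.
        try (Connection connection = DBUtil.getConnecting()) {
            if (login(connection, "范传奇", "123456")) {
                System.out.println("登录成功");
            } else {
                System.out.println("登录失败");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Checks whether a row with the given username and password exists in {@code user1}.
     * Both values are bound as statement parameters, so a value such as {@code 1' OR '1='1}
     * is sent to the database as data and matched literally, never spliced into the SQL text.
     *
     * <p>The query compares the {@code password} column directly, so it only matches if the
     * table stores the value in the same form the caller supplies. The schema is not visible
     * here; confirm how {@code user1.password} is stored — a production login would verify a
     * salted hash in application code rather than comparing the column in SQL.
     *
     * @param connection open database connection; not closed by this method
     * @param username value bound to the first placeholder
     * @param password value bound to the second placeholder
     * @return {@code true} if at least one row matched
     * @throws SQLException if preparing or executing the query fails
     */
    private static boolean login(Connection connection, String username, String password)
            throws SQLException {
        String sql = "SELECT id,username,password,nickname "
                + "FROM user1 "
                + "WHERE username=? AND password=?";
        // PreparedStatement and ResultSet are AutoCloseable; the original only closed the
        // Connection and never closed the statement or result set explicitly.
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}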
